1007 matches found
CVE-2023-31434
The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate input, which allows authenticated attackers to inject HTML Code and XSS payloads in multiple locations...
CVE-2023-31434
The CVE-2023-31434 issue affects evasys prior to 8.2 Build 2286 and 9.x prior to 9.0 Build 2401 where input validation is missing for parameters nutzer_titel, nutzer_vn, nutzer_nn (user profile) and langID/ONLINEID (direct links). This allows authenticated attackers to inject HTML code and XSS pa...
tagDiv Composer < 4.0 - Reflected Cross-site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. Make a logged-in admin open a page containing the HTML code below...
tagDiv Composer < 4.0 - Reflected Cross-site Scripting
The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. PoC: Make a logged-in admin open a page containing the HTML code below...
CVE-2023-29207 Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro
XWiki Commons are technical libraries common to several other top level XWiki projects. The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included...
GHSA-6VGH-9R3C-2CXP Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro
Impact: The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included since XWiki 3.5M1 and doesn't require script rights; this can be demonstrated wit...
ChatBot < 4.4.5 - Stored XSS via CSRF
The plugin does not escape most of its settings before outputting them back in the dashboard, and does not have a proper CSRF check, allowing attackers to make a logged in admin set XSS payloads in them. Note: v4.4.5 fixed the CSRF issue, the lack of escaping was fixed in 4.5.1 and a separate iss...
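The evasys, tagDiv Composer, XWiki and ChatBot entries above share one root cause: a user-controlled value is written back into a page without being escaped for the context it lands in. The Python below is an added example written for this listing, not code from any of the products named. The profile template, the field name nutzer_nn borrowed from the evasys entry, the langID link and all payloads are constructed for illustration; `render_profile(..., escape=False)` reproduces the vulnerable "reflect it raw" pattern and `escape=True` the fix, with a different encoder for HTML text, an HTML attribute, an inline-script string and a URL parameter inside an attribute.

```python
"""Context-aware output escaping for reflected profile fields.

Constructed example: a profile page that reflects title / first name /
last name into HTML text, a quoted attribute, an inline <script> string
and a link parameter. Field names and payloads are illustrative only.
"""
import html
import json
from urllib.parse import quote

# Constructed attacker-controlled inputs, one payload per output context.
PAYLOADS = {
    "body": "<img src=x onerror=alert(1)>",
    "attr": '" autofocus onfocus="alert(1)',
    "js": "</script><script>alert(1)</script>",
    "url": '" onmouseover="alert(1)',
}


def esc_html(s: str) -> str:
    """HTML text and quoted-attribute context: & < > " ' become entities."""
    return html.escape(s, quote=True)


def esc_js_string(s: str) -> str:
    """Inline <script> string literal: JSON-encode, then also hide < > and the
    JS line terminators U+2028/U+2029 that JSON leaves alone, so '</script>'
    can never close the tag early."""
    out = json.dumps(s)
    return (out.replace("<", "\\u003c").replace(">", "\\u003e")
               .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))


def esc_url_param(s: str) -> str:
    """Query-string value: percent-encode everything except unreserved chars."""
    return quote(s, safe="")


# Constructed template; 'nutzer_nn' is the last-name field from the evasys entry.
TEMPLATE = """<h1>{title} {first} {last}</h1>
<input name="nutzer_nn" value="{attr_last}">
<script>var firstName = {js_first};</script>
<a href="/direct?langID={url_lang}">switch language</a>
"""


def render_profile(title: str, first: str, last: str, lang_id: str,
                   escape: bool) -> str:
    """escape=False is the vulnerable pattern (raw reflection in every context);
    escape=True encodes each value for the context it is written into.
    The link value is encoded twice, innermost context first: URL, then HTML."""
    if not escape:
        return TEMPLATE.format(title=title, first=first, last=last,
                               attr_last=last, js_first='"%s"' % first,
                               url_lang=lang_id)
    return TEMPLATE.format(
        title=esc_html(title), first=esc_html(first), last=esc_html(last),
        attr_last=esc_html(last),
        js_first=esc_js_string(first),
        url_lang=esc_html(esc_url_param(lang_id)),
    )


def reflected_raw(rendered: str, payloads=PAYLOADS) -> list:
    """Names of contexts whose payload appears verbatim in the rendered page;
    an empty list means every payload was neutralised."""
    return sorted(ctx for ctx, p in payloads.items() if p in rendered)


if __name__ == "__main__":
    args = (PAYLOADS["body"], PAYLOADS["js"], PAYLOADS["attr"], PAYLOADS["url"])
    print("vulnerable:", reflected_raw(render_profile(*args, escape=False)))
    print("hardened:  ", reflected_raw(render_profile(*args, escape=True)))
```

The point the listing's entries make repeatedly is that "validate input" alone is not the fix: the same last name is safe in one context and a live payload in another, so the encoder has to match the sink. Note the attribute must also be quoted in the template; `esc_html` does not help inside an unquoted `value=...`.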
Cross-Site Scripting Vulnerability in Cisco Unified Contact Center Express
Cisco Unified Contact Center Express is the customer relationship management component of a unified communications solution from the U.S. company Cisco. A cross-site scripting vulnerability exists in Cisco Unified Contact Center Express, which can be exploited by remote attackers to inject...
Debian: Security Advisory (DLA-673-1)
The remote host is missing an update for Debian announced via the DLA-673-1 advisory. (Greenbone vulnerability test text; SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only)...
TRENDnet TEW-652BRP Cross-Site Scripting Vulnerability
TRENDnet TEW-652BRP is a wireless router from TRENDnet USA. The getset.ccp endpoint of the TRENDnet TEW-652BRP suffers from a cross-site scripting vulnerability, which allows remote attackers to inject malicious script or HTML code that can obtain sensitive information or hijack user...
CVE-2023-22971
Cross Site Scripting XSS vulnerability in Hughes Network Systems Router Terminal for HX200 v8.3.1.14, HX90 v6.11.0.5, HX50L v6.10.0.18, HN9460 v8.2.0.48, and HN7000S v6.9.0.37, allows unauthenticated attackers to misuse frames, include JS/HTML code and steal sensitive information from legitimate...
Gold Filled CRM 2.0 Arbitrary File Upload
Title: Gold Filled CRM v 2.0 Remote File Upload vulnerability | Author: indoushka | Tested on: Windows 10 French V.Pro / browser: Mozilla Firefox...
ROS-20221222-03
A vulnerability in the Moodle course management system is related to insufficient validation of user-entered data in the LTI vendor library. Exploitation of the vulnerability could allow an attacker acting remotely to send a specially crafted HTTP request and tri...
jquery: Untrusted code execution via <option> tag in HTML passed to DOM manipulation methods
A flaw was found in jQuery. HTML containing <option> elements from untrusted sources is passed, even after sanitizing, to one of jQuery's DOM manipulation methods, which may execute untrusted code. The highest threat from this vulnerability is to data confidentiality and integrity...
Role Based Pricing for WooCommerce < 1.6.3 - Subscriber+ PHAR Deserialization
The plugin does not have authorisation and proper CSRF checks, and does not validate the path given via user input, allowing any authenticated user such as a subscriber to perform PHAR deserialization attacks when they can upload a file and a suitable gadget chain is present on the blog. As a...
CVE-2022-3242 HTML code Injection in template search keyword in microweber/microweber
Code Injection in GitHub repository microweber/microweber prior to 1.3.2...
CVE-2022-40778
A stored Cross-Site Scripting XSS vulnerability in OPSWAT MetaDefender ICAP Server before 4.13.0 allows attackers to execute arbitrary JavaScript or HTML because of the blocked page response...
Input validation
Insert HTML/JS code inside an input. How to get to the vulnerable input: Workers > worker nickname; inject the code into this input...